Windows Analysis Report
pdfmagic.exe

Overview

General Information

Sample Name: pdfmagic.exe
Analysis ID: 793347
MD5: b7819389909c4d9dae3c9a6135ab1319
SHA1: 4a638f17e7965f2ee2998405b0822c5881c9594b
SHA256: 6e837d04c0c0951d671e7e04140dee81db2263d27f7346c4390d148b4f829a65

Detection

Score: 39
Range: 0 - 100
Whitelisted: false
Confidence: 60%

Signatures

Contains functionality to log keystrokes (.Net Source)
.NET source code contains potential unpacker
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Detected potential crypto function
Sample execution stops while process was sleeping (likely an evasion)
JA3 SSL client fingerprint seen in connection with other malware
Contains functionality to communicate with device drivers
HTTP GET or POST without a user agent
Contains long sleeps (>= 3 min)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Sample file is different than original file name gathered from version info
Tries to load missing DLLs
Binary contains a suspicious time stamp
Queries disk information (often used to detect virtual machines)

Classification

Analysis Advice

Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Sample monitors window changes (e.g. starting applications), analyze the sample with the 'Simulates keyboard and window changes' cookbook
  • System is w10x64native
  • pdfmagic.exe (PID: 388 cmdline: C:\Users\user\Desktop\pdfmagic.exe MD5: B7819389909C4D9DAE3C9A6135AB1319)
    • conhost.exe (PID: 4868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 81CA40085FC75BABD2C91D18AA9FFA68)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched

Source: unknown | HTTPS traffic detected: 168.119.56.74:443 -> 192.168.11.20:49840 version: TLS 1.2
Source: pdfmagic.exe | Static PE information: certificate valid
Source: pdfmagic.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Git\pdfmagicwpf\obj\Release\PdfMagic.pdb source: pdfmagic.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdbSHA256 source: pdfmagic.exe
Source: Binary string: D:\Users\micde\Repo\GitHub\WpfScreenHelper\src\WpfScreenHelper\obj\Release\net40\WpfScreenHelper.pdbSHA256 source: pdfmagic.exe
Source: Binary string: /_/Src/Newtonsoft.Json/obj/Release/net45/Newtonsoft.Json.pdb source: pdfmagic.exe
Source: Binary string: D:\Users\micde\Repo\GitHub\WpfScreenHelper\src\WpfScreenHelper\obj\Release\net40\WpfScreenHelper.pdb source: pdfmagic.exe
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: global traffic | HTTP traffic detected: GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_BRAND_NAME HTTP/1.1 Host: start.searchmagiconline.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_SIGNATURE HTTP/1.1 Host: start.searchmagiconline.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_OSOU HTTP/1.1 Host: start.searchmagiconline.com
Source: global traffic | HTTP traffic detected: GET /time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 HTTP/1.1 Host: start.searchmagiconline.com Connection: Keep-Alive
Source: global traffic | HTTP traffic detected: GET /time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 HTTP/1.1 Host: start.searchmagiconline.com Connection: Keep-Alive
Source: unknown | Network traffic detected: HTTP traffic on port 49841 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49842 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49842
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49841
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49840
Source: unknown | Network traffic detected: HTTP traffic on port 49844 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49840 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49844
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: pdfmagic.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: pdfmagic.exe | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: pdfmagic.exe | String found in binary or memory: http://cacerts.digicert.com/NETFoundationProjectsCodeSigningCA.crt0
Source: pdfmagic.exe, 00000001.00000002.104956100289.000000000F040000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: pdfmagic.exe | String found in binary or memory: http://crl.globalsign.com/ca/gstsacasha384g4.crl0
Source: pdfmagic.exe | String found in binary or memory: http://crl.globalsign.com/gsextendcodesignsha2g3.crl0&
Source: pdfmagic.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0G
Source: pdfmagic.exe | String found in binary or memory: http://crl.globalsign.com/root-r3.crl0b
Source: pdfmagic.exe | String found in binary or memory: http://crl.globalsign.com/root-r6.crl0G
Source: pdfmagic.exe, 00000001.00000002.104956100289.000000000F040000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: pdfmagic.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: pdfmagic.exe | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: pdfmagic.exe | String found in binary or memory: http://crl3.digicert.com/NETFoundationProjectsCodeSigningCA.crl0E
Source: pdfmagic.exe | String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: pdfmagic.exe | String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: pdfmagic.exe | String found in binary or memory: http://crl4.digicert.com/NETFoundationProjectsCodeSigningCA.crl0L
Source: pdfmagic.exe | String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: pdfmagic.exe, 00000001.00000003.103712020666.00000000058E6000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103711093018.00000000058E6000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103710113087.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103710763408.00000000058E6000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://en.wikips
Source: pdfmagic.exe | String found in binary or memory: http://james.newtonking.com/projects/json
Source: pdfmagic.exe | String found in binary or memory: http://ocsp.digicert.com0C
Source: pdfmagic.exe | String found in binary or memory: http://ocsp.digicert.com0K
Source: pdfmagic.exe | String found in binary or memory: http://ocsp.digicert.com0N
Source: pdfmagic.exe | String found in binary or memory: http://ocsp.digicert.com0O
Source: pdfmagic.exe | String found in binary or memory: http://ocsp.globalsign.com/ca/gstsacasha384g40C
Source: pdfmagic.exe | String found in binary or memory: http://ocsp2.globalsign.com/gsextendcodesignsha2g30U
Source: pdfmagic.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr306
Source: pdfmagic.exe | String found in binary or memory: http://ocsp2.globalsign.com/rootr606
Source: pdfmagic.exe, 00000001.00000002.104927863708.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: pdfmagic.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gsextendcodesignsha2g3ocsp.crt0
Source: pdfmagic.exe | String found in binary or memory: http://secure.globalsign.com/cacert/gstsacasha384g4.crt0
Source: pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://suggestqueries.google.com/complete/search?output
Source: pdfmagic.exe | String found in binary or memory: http://www.digicert.com/CPS0
Source: pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.mozilla.org/2006/browser/search/
Source: pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.00000000033FE000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://zsrc.searchmagiconline.com?39f87228584a95e18f1681cdfcd1e509=H1xAXFNHX19ZVlQNEQQwBw9cQ1pQRl1bU
Source: pdfmagic.exe | String found in binary or memory: https://appv.pdfmagiconline.com/
Source: pdfmagic.exe | String found in binary or memory: https://github.com/JamesNK/Newtonsoft.Json
Source: pdfmagic.exe | String found in binary or memory: https://www.digicert.com/CPS0
Source: pdfmagic.exe | String found in binary or memory: https://www.globalsign.com/repository/0
Source: pdfmagic.exe | String found in binary or memory: https://www.google-analytics.com/collect
Source: pdfmagic.exe | String found in binary or memory: https://www.newtonsoft.com/json
Source: pdfmagic.exe | String found in binary or memory: https://www.newtonsoft.com/jsonschema
Source: pdfmagic.exe | String found in binary or memory: https://www.nuget.org/packages/Newtonsoft.Json.Bson
Source: pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pdfmagiconline.com
Source: pdfmagic.exe, 00000001.00000002.104927863708.0000000003281000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pdfmagiconline.com/eula
Source: pdfmagic.exe | String found in binary or memory: https://www.pdfmagiconline.com/eula?
Source: pdfmagic.exe, 00000001.00000002.104930076481.000000000359F000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pdfmagiconline.com/privacy
Source: pdfmagic.exe | String found in binary or memory: https://www.pdfmagiconline.com/privacy?
Source: pdfmagic.exe | String found in binary or memory: https://www.pdfmagiconline.com/thankyou?tyid=
Source: pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://www.pdfmagiconline.com/uninstall
Source: pdfmagic.exe | String found in binary or memory: https://www.searchmagiconline.com/eula?
Source: pdfmagic.exe | String found in binary or memory: https://www.searchmagiconline.com/privacy?
Source: pdfmagic.exe | String found in binary or memory: https://www.searchmagiconline.com/uninstall?
Source: pdfmagic.exe | String found in binary or memory: https://www.searchmagiconline.com?
Source: unknown | DNS traffic detected: queries for: start.searchmagiconline.com

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: pdfmagic.exe, InterceptKeys.cs | .Net Code: SetHook
Source: 1.0.pdfmagic.exe.900000.0.unpack, InterceptKeys.cs | .Net Code: SetHook
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_030596B0
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_0305B910
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03059F80
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03059368
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_0305312B
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03057F34
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_0659CED8
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_06592F80
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_0305572C: DeviceIoControl
Source: pdfmagic.exe, 00000001.00000002.104940498810.0000000004281000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs pdfmagic.exe
Source: pdfmagic.exe, 00000001.00000002.104948118305.0000000005EC0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs pdfmagic.exe
Source: pdfmagic.exe, 00000001.00000002.104923826131.000000000130E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs pdfmagic.exe
Source: pdfmagic.exe, 00000001.00000002.104945217031.0000000005B50000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameWpfScreenHelper.dll@ vs pdfmagic.exe
Source: pdfmagic.exe | Binary or memory string: OriginalFilenameNewtonsoft.Json.dll2 vs pdfmagic.exe
Source: pdfmagic.exe | Binary or memory string: OriginalFilenameWpfScreenHelper.dll@ vs pdfmagic.exe
Source: C:\Users\user\Desktop\pdfmagic.exe | Section loaded: edgegdi.dll
Source: pdfmagic.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: C:\Users\user\Desktop\pdfmagic.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown | Process created: C:\Users\user\Desktop\pdfmagic.exe C:\Users\user\Desktop\pdfmagic.exe
Source: C:\Users\user\Desktop\pdfmagic.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\pdfmagic.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{41945702-8302-44A6-9445-AC98E8AFA086}\InprocServer32
Source: C:\Users\user\Desktop\pdfmagic.exe | File created: C:\Users\user\AppData\Local\Temp\PdfMagic
Source: classification engine | Classification label: sus39.spyw.evad.winEXE@2/1@1/1
Source: pdfmagic.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\pdfmagic.exe | Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\e4a1c9189d2b01f018b953e46c80d120\mscorlib.ni.dll
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:304:WilStaging_02
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4868:120:WilError_03
Source: Window Recorder | Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\pdfmagic.exe | File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: pdfmagic.exe | Static PE information: Virtual size of .text is bigger than: 0x100000
Source: pdfmagic.exe | Static file information: File size 4538104 > 1048576
Source: pdfmagic.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: pdfmagic.exe | Static PE information: Raw size of .text is bigger than: 0x100000 < 0x437a00
Source: pdfmagic.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Data Obfuscation

Source: pdfmagic.exe, EmbeddedAssembly.cs | .Net Code: Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 1.0.pdfmagic.exe.900000.0.unpack, EmbeddedAssembly.cs | .Net Code: Load System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_0305F392 push eax; iretd 1_2_0305F399
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_030510A3 push D000005Fh; iretd 1_2_030510C1
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03053703 pushad ; iretd 1_2_03053711
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03053733 pushfd ; iretd 1_2_03053741
Source: C:\Users\user\Desktop\pdfmagic.exe | Code function: 1_2_03050FF0 pushfd ; iretd 1_2_03050FF1
Source: pdfmagic.exe | Static PE information: 0x82A6C0D9 [Fri Jun 17 23:33:45 2039 UTC]
Source: C:\Users\user\Desktop\pdfmagic.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

barindex
Source: C:\Users\user\Desktop\pdfmagic.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\pdfmagic.exe TID: 7492 | Thread sleep time: -7378697629483816s >= -30000s
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Users\user\Desktop\pdfmagic.exe | Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\pdfmagic.exe | Window / User API: threadDelayed 8990
Source: C:\Users\user\Desktop\pdfmagic.exe | File opened: PhysicalDrive0
Source: C:\Users\user\Desktop\pdfmagic.exe | Thread delayed: delay time: 922337203685477
Source: pdfmagic.exe, 00000001.00000002.104923826131.00000000013C9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll9
Source: C:\Users\user\Desktop\pdfmagic.exe | Process token adjusted: Debug
Source: C:\Users\user\Desktop\pdfmagic.exe | Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Users\user\Desktop\pdfmagic.exe VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Web\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Web.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\seguili.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\seguisli.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuii.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\seguisbi.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuiz.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\seguibl.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\seguibli.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationTypes\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationTypes.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\UIAutomationProvider\v4.0_4.0.0.0__31bf3856ad364e35\UIAutomationProvider.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation
Source: C:\Users\user\Desktop\pdfmagic.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Mitre Att&ck Matrix (listed per tactic; a number shown before a technique is kept exactly as the report displays it)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution: 1 Windows Management Instrumentation; Scheduled Task/Job; At (Linux); At (Windows); Cron; Launchd; Scheduled Task
Persistence: 1 DLL Side-Loading; Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Privilege Escalation: 1 Process Injection; 1 DLL Side-Loading; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items
Defense Evasion: 1 Disable or Modify Tools; 131 Virtualization/Sandbox Evasion; 1 Process Injection; 1 Obfuscated Files or Information; 1 Software Packing; 1 Timestomp; 1 DLL Side-Loading
Credential Access: 1 Input Capture; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery: 111 Security Software Discovery; 131 Virtualization/Sandbox Evasion; 1 Application Window Discovery; 122 System Information Discovery; Remote System Discovery; System Owner/User Discovery; Network Sniffing
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection: 1 Input Capture; 1 Archive Collected Data; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
Command and Control: 11 Encrypted Channel; 1 Ingress Tool Transfer; 2 Non-Application Layer Protocol; 3 Application Layer Protocol; Fallback Channels; Multiband Communication; Commonly Used Port
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact
Source | Detection | Scanner | Label
pdfmagic.exe | 0% | ReversingLabs |
pdfmagic.exe | 0% | Virustotal |
No Antivirus matches
Source | Detection | Scanner | Label
start.searchmagiconline.com | 0% | Virustotal |
Source | Detection | Scanner | Label
https://www.searchmagiconline.com/uninstall? | 0% | Avira URL Cloud | safe
https://appv.pdfmagiconline.com/ | 0% | Virustotal |
https://www.pdfmagiconline.com/uninstall | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com/eula? | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com/thankyou?tyid= | 0% | Avira URL Cloud | safe
https://appv.pdfmagiconline.com/ | 0% | Avira URL Cloud | safe
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_BRAND_NAME | 0% | Avira URL Cloud | safe
https://www.searchmagiconline.com/eula? | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com | 0% | Avira URL Cloud | safe
https://start.searchmagiconline.com/time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 | 0% | Avira URL Cloud | safe
http://james.newtonking.com/projects/json | 0% | Avira URL Cloud | safe
http://en.wikips | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com/eula | 0% | Avira URL Cloud | safe
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_OSOU | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com/privacy | 0% | Avira URL Cloud | safe
https://www.searchmagiconline.com? | 0% | Avira URL Cloud | safe
http://start.searchmagiconline.com/time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 | 0% | Avira URL Cloud | safe
http://zsrc.searchmagiconline.com?39f87228584a95e18f1681cdfcd1e509=H1xAXFNHX19ZVlQNEQQwBw9cQ1pQRl1bU | 0% | Avira URL Cloud | safe
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_SIGNATURE | 0% | Avira URL Cloud | safe
https://www.pdfmagiconline.com/privacy? | 0% | Avira URL Cloud | safe
https://www.searchmagiconline.com/privacy? | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
start.searchmagiconline.com | 168.119.56.74 | true | false | | unknown
Name | Malicious | Antivirus Detection | Reputation
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_BRAND_NAME | false | Avira URL Cloud: safe | unknown
https://start.searchmagiconline.com/time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 | false | Avira URL Cloud: safe | unknown
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_OSOU | false | Avira URL Cloud: safe | unknown
http://start.searchmagiconline.com/time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 | false | Avira URL Cloud: safe | unknown
https://start.searchmagiconline.com/nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_SIGNATURE | false | Avira URL Cloud: safe | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://www.pdfmagiconline.com/eula? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
https://appv.pdfmagiconline.com/ | pdfmagic.exe | false | 0%, Virustotal; Avira URL Cloud: safe | unknown
https://www.pdfmagiconline.com/thankyou?tyid= | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
https://www.searchmagiconline.com/uninstall? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
https://www.pdfmagiconline.com/uninstall | pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.searchmagiconline.com/eula? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
https://www.pdfmagiconline.com | pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.newtonsoft.com/json | pdfmagic.exe | false | | high
http://james.newtonking.com/projects/json | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
http://en.wikips | pdfmagic.exe, 00000001.00000003.103712020666.00000000058E6000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103711093018.00000000058E6000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103710113087.00000000058E5000.00000004.00000020.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000003.103710763408.00000000058E6000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.pdfmagiconline.com/eula | pdfmagic.exe, 00000001.00000002.104927863708.0000000003281000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.newtonsoft.com/jsonschema | pdfmagic.exe | false | | high
http://suggestqueries.google.com/complete/search?output | pdfmagic.exe, 00000001.00000002.104930076481.00000000033FA000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://www.nuget.org/packages/Newtonsoft.Json.Bson | pdfmagic.exe | false | | high
https://www.pdfmagiconline.com/privacy | pdfmagic.exe, 00000001.00000002.104930076481.000000000359F000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.searchmagiconline.com? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
http://zsrc.searchmagiconline.com?39f87228584a95e18f1681cdfcd1e509=H1xAXFNHX19ZVlQNEQQwBw9cQ1pQRl1bU | pdfmagic.exe, 00000001.00000002.104930076481.0000000003406000.00000004.00000800.00020000.00000000.sdmp, pdfmagic.exe, 00000001.00000002.104930076481.00000000033FE000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | pdfmagic.exe, 00000001.00000002.104927863708.0000000003281000.00000004.00000800.00020000.00000000.sdmp | false | | high
https://github.com/JamesNK/Newtonsoft.Json | pdfmagic.exe | false | | high
https://www.pdfmagiconline.com/privacy? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
https://www.searchmagiconline.com/privacy? | pdfmagic.exe | false | Avira URL Cloud: safe | unknown
IP | Domain | Country | ASN | ASN Name | Malicious
168.119.56.74 | start.searchmagiconline.com | Germany | 24940 | HETZNER-ASDE | false
Joe Sandbox Version: 36.0.0 Rainbow Opal
Analysis ID: 793347
Start date and time: 2023-01-27 23:43:48 +01:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 6m 20s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 64 bit 20H2 Native physical Machine for testing VM-aware malware (Office 2019, IE 11, Chrome 93, Firefox 91, Adobe Reader DC 21, Java 8 Update 301)
Number of new started processes analysed: 7
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample file name: pdfmagic.exe
Detection: SUS
Classification: sus39.spyw.evad.winEXE@2/1@1/1
EGA Information:
• Successful, ratio: 100%
HDC Information: Failed
HCA Information:
• Successful, ratio: 98%
• Number of executed functions: 63
• Number of non-executed functions: 4
Cookbook Comments:
• Found application associated with file extension: .exe
• Exclude process from analysis (whitelisted): dllhost.exe, backgroundTaskHost.exe
• Excluded IPs from analysis (whitelisted): 142.250.186.174
• Excluded domains from analysis (whitelisted): wdcpalt.microsoft.com, client.wns.windows.com, login.live.com, ctldl.windowsupdate.com, wdcp.microsoft.com, www.google-analytics.com
• Not all processes were analyzed; the report is missing behavior information
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtReadVirtualMemory calls found.
Time | Type | Description
23:45:45 | API Interceptor | 595x Sleep call for process: pdfmagic.exe modified
              No context
              No context
Match: HETZNER-ASDE
Associated Sample Name / URL | Detection | Context
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
oLgPPJB8Wf.exe | malicious | 5.75.149.1
file.exe | malicious | 95.217.49.230
A831A3EAD1F64D951FADCD5A15CF14E86F9B6B4D418F5.exe | malicious | 49.12.118.209
UtFCaXJ1Wx.exe | malicious | 144.76.136.153
Ddj7ihZUsS.exe | malicious | 95.217.146.176
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
file.exe | malicious | 95.217.49.230
km68i35vwh.exe | malicious | 5.9.190.65
oasldfie.exe | malicious | 95.216.102.32
3pasdl.exe | malicious | 95.216.102.32
file.exe | malicious | 95.217.49.230
BpbDrhXv3u.exe | malicious | 95.217.146.176
BpbDrhXv3u.exe | malicious | 95.217.146.176
Match: 3b5074b1b5d032e5620f69f9f700ff0e
Associated Sample Name / URL | Detection | Context
Dq7aiw3LVZzQP6y.exe | malicious | 168.119.56.74
Statement 210826.exe | malicious | 168.119.56.74
ziraat bankasi swift 01 pdf.exe | malicious | 168.119.56.74
Hzgbdtv.exe | malicious | 168.119.56.74
InstallUtil.exe | malicious | 168.119.56.74
Proforma fatura.exe | malicious | 168.119.56.74
eZazqsQj35.exe | malicious | 168.119.56.74
Doge-Miner203.exe | malicious | 168.119.56.74
3dHdV0ogNv.exe | malicious | 168.119.56.74
OdzBdmZPs9.exe | malicious | 168.119.56.74
KM40AkKuFl.exe | malicious | 168.119.56.74
33QcJZuVub.exe | malicious | 168.119.56.74
Lj1WJuaKRz.exe | malicious | 168.119.56.74
sDZH1QiDzt.exe | malicious | 168.119.56.74
file.exe | malicious | 168.119.56.74
file.exe | malicious | 168.119.56.74
Factura Comercial.exe | malicious | 168.119.56.74
bunzipped.exe | malicious | 168.119.56.74
5l2m4wKawU.exe | malicious | 168.119.56.74
FedEx Shipping Document.exe | malicious | 168.119.56.74
              No context
Process: C:\Users\user\Desktop\pdfmagic.exe
File Type: MS Windows icon resource - 6 icons, 256x256 with PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced, 32 bits/pixel, -128x-128, 32 bits/pixel
Category: dropped
Size (bytes): 102833
Entropy (8bit): 5.873250860669142
Encrypted: false
SSDEEP: 384:Bg66XXXPXXX1++L++L++L++wfffD666666D666666D666666D666666PFvvvIPPp:9P8PPPVsjpswefhNN8VXje
MD5: AB8214CE9FF0F3DC29A8A4DF023C2052
SHA1: 9876F9CAC00AADF88D21D0EA4711F0C85AF10C4A
SHA-256: 2D5A416E8FCAB3E9387883BE26AC8A026C162D177694B9EE4B655491C8A2A7BB
SHA-512: ED590D04573CFEF5D9402F1F7A86E478EE298D665909AAC1B4AEE06DD8E24E0C41B6D660FC2DBA949E6AD81AE5465D80156ECB30797A3E6E985C1C23EED25663
Malicious: false
Reputation: low
              Preview:............ .C...f......... .(.......@@.... .(B......00.... ..%...V.. .... ......|........ .h...I....PNG........IHDR.............\r.f....IDATx.....e...w.k...V(.....H<.C...5...C)..h........@.^.....h<@.%.%..T...X..d.5.....wi....x~...........]3..z2..w.4...K...L.[..I.Q.....^.k......z.....?..........f.*.u.U.o....O..4.r...,o..`.......1..0F......X.;A.y.5.^.....v]P..Pu.>v.z.>.r?.....u....T.(.[e}Sz8e...0F..........#..c..`.........6.>..."'..Z..C.N`e....?.:..mT.H.u.......0F..........#..c..`.......7.}..I.....}...>4..V...}.c.....h.3T.;......#..c..`.......1..0V.......[...:*...2!...@.`.N..o...c..`.......1..0F......X..F..~.C.V.....>_.{.?.).o..{.....0F..........#..c..`........OTc.b...}.Css.>.r...{v.z!....N.........1..0F..........#..cuj..#.{C..y.C........N.....d....h..HE..o...c..`.......1..0F......X..Jw..q...;Y?.Mp.q.\]ry0..<..........^.D.Z..C:r.^G1...o.!.....`.......1..0F...........S3...a........}..^..^..0....dy.w.z...d..S........b............}.o.....p...........#..c..`........:..f@S.
File type: PE32 executable (console) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit): 7.780053026148029
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 50.01%
• Win32 Executable (generic) a (10002005/4) 49.97%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: pdfmagic.exe
File size: 4538104
MD5: b7819389909c4d9dae3c9a6135ab1319
SHA1: 4a638f17e7965f2ee2998405b0822c5881c9594b
SHA256: 6e837d04c0c0951d671e7e04140dee81db2263d27f7346c4390d148b4f829a65
SHA512: b3dcd77789ce9a2208b2496fabdc8328be797b898b25f4bbcadaabf9cdbb121f6c9b3d9ae1433d49df28bc0f62301a8ad8f27fa5b040a650ea10a0ef021dddc7
SSDEEP: 49152:IWqR4AnaxLJw9KIDDzu8MDi4+GICz/VYiNIBd4NXyPr/Sx4fnepVA4GORoEcmam4:OR4JJR8hlG/75NIvPex4vi1n6/AYTM
TLSH: EC260152E3DC4B66C05FAB787D301D6256F7F84BA079D7CA1A04D9BA08A77808B24737
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L................."...0..zC.........B.C.. ....C...@.. .......................`E.......E...`................................
Icon Hash: 82046ce460080982
Entrypoint: 0x839842
Entrypoint Section: .text
Digitally signed: true
Imagebase: 0x400000
Subsystem: windows cui
Image File Characteristics: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE
DLL Characteristics: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp: 0x82A6C0D9 [Fri Jun 17 23:33:45 2039 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 4
OS Version Minor: 0
File Version Major: 4
File Version Minor: 0
Subsystem Version Major: 4
Subsystem Version Minor: 0
Import Hash: f34d5f2d4577ed6d9ceec516c1f5a744
Signature Valid: true
Signature Issuer: CN=GlobalSign Extended Validation CodeSigning CA - SHA256 - G3, O=GlobalSign nv-sa, C=BE
Signature Validation Error: The operation completed successfully
Error Number: 0
Not Before: 24/11/2020 07:29:26
Not After: 25/11/2023 07:29:26
Subject Chain:
• E=buzzinnovationltd@gmail.com, CN=BUZZ INNOVATION LTD, O=BUZZ INNOVATION LTD, STREET=11 Hamanofim, L=Herzliya, S=Tel Aviv, C=IL, OID.1.3.6.1.4.1.311.60.2.1.3=IL, SERIALNUMBER=516201944, OID.2.5.4.15=Private Organization
Version: 3
Thumbprint MD5: 4D4F8C382744D99361593ACBD3CBF67A
Thumbprint SHA-1: 23C471B8F01E45B38FFF0EBBE6CBAEB9F6661D13
Thumbprint SHA-256: C94EBC2716DC3342C78999926133C661A27A6222F920EDE56741710674233167
Serial: 7DA3D815F52D825F2384136D
              Instruction
              jmp dword ptr [00402000h]
              push ebp
              mov ebp, esp
              push edi
              mov edi, dword ptr [ebp+10h]
              push 00000001h
              pop eax
              push ebx
              cpuid
              mov dword ptr [edi], eax
              mov dword ptr [edi+04h], edx
              pop ebx
              pop edi
              mov esp, ebp
              pop ebp
              retn 0010h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              push ebx
              dec eax
              mov eax, 00000001h
              cpuid
              inc ecx
              mov dword ptr [eax], eax
              inc ecx
              mov dword ptr [eax+04h], edx
              pop ebx
              ret
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax-1BFBF6FCh], dh
              add al, 09h
              add al, 00h
              add byte ptr [ecx], cl
              add al, 00h
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
              add byte ptr [eax], al
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x4397f0         0x4f          .text
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x43a000         0x198d4       .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x451800         0x26f8        (none: for this entry the address field is a file offset, not an RVA)
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x454000         0xc           .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG           0x439774         0x38          .text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x2000           0x8           .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x2008           0x48          .text
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Name    Virtual Address  Virtual Size  Raw Size  Xored PE  ZLIB Complexity      File Type  Entropy              Characteristics
.text   0x2000           0x437890      0x437a00  unknown   unknown              unknown    unknown              IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc   0x43a000         0x198d4       0x19a00   False     0.11270960365853659  data       5.878581115063716    IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc  0x454000         0xc           0x200     False     0.044921875          data       0.10191042566270775  IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name           RVA       Size     Type                                                                      Language  Country
RT_ICON        0x43a1a0  0xc43    PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced
RT_ICON        0x43adf4  0x10828  Device independent bitmap graphic, 128 x 256 x 32, image size 65536
RT_ICON        0x44b62c  0x4228   Device independent bitmap graphic, 64 x 128 x 32, image size 16384
RT_ICON        0x44f864  0x25a8   Device independent bitmap graphic, 48 x 96 x 32, image size 9216
RT_ICON        0x451e1c  0x10a8   Device independent bitmap graphic, 32 x 64 x 32, image size 4096
RT_ICON        0x452ed4  0x468    Device independent bitmap graphic, 16 x 32 x 32, image size 1024
RT_GROUP_ICON  0x45334c  0x5a     data
RT_VERSION     0x4533b8  0x31c    data
RT_MANIFEST    0x4536e4  0x1ea    XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
DLL          Import
mscoree.dll  _CorExeMain
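As an added example (not part of the Joe Sandbox report and not code from the sample), the script below re-types the section and data-directory tables above as data and runs the consistency checks an analyst would want: which section each directory RVA lands in, whether the non-empty CLR header marks a managed assembly (which the lone mscoree.dll!_CorExeMain import also implies), and whether the security directory, an Authenticode certificate table whose address field is a file offset rather than an RVA, sits exactly at the end of the 4538104-byte file. The raw-data offsets are an assumption: the report does not print PointerToRawData, so the script assumes the sections are laid out back to back after 0x200 bytes of headers.

```python
"""Added example (not Joe Sandbox output): sanity checks over the static PE
tables in this report, re-typed here as constructed data."""

# Section table as listed in the report: (name, virtual_address, virtual_size, raw_size).
SECTIONS = [
    (".text",  0x2000,   0x437890, 0x437a00),
    (".rsrc",  0x43a000, 0x198d4,  0x19a00),
    (".reloc", 0x454000, 0xc,      0x200),
]

# Data directories as listed in the report: name -> (address field, size).
DATA_DIRECTORIES = {
    "EXPORT":         (0x0, 0x0),
    "IMPORT":         (0x4397f0, 0x4f),
    "RESOURCE":       (0x43a000, 0x198d4),
    "SECURITY":       (0x451800, 0x26f8),   # file offset, not an RVA
    "BASERELOC":      (0x454000, 0xc),
    "DEBUG":          (0x439774, 0x38),
    "IAT":            (0x2000, 0x8),
    "COM_DESCRIPTOR": (0x2008, 0x48),
}

FILE_SIZE = 4538104        # "File size" from the process table in the report
HEADERS_RAW_SIZE = 0x200   # assumption: headers fill one file-alignment unit; not printed in the report


def rva_to_section(rva):
    """Return the name of the section whose virtual range contains rva, or None."""
    for name, va, vsize, rawsize in SECTIONS:
        span = max(vsize, rawsize)   # the loader maps at least the raw bytes
        if va <= rva < va + span:
            return name
    return None


def raw_layout():
    """Reconstruct (start, end) file offsets per section, assuming the sections
    follow the headers back to back (assumption: the report omits raw pointers)."""
    layout, offset = {}, HEADERS_RAW_SIZE
    for name, _va, _vsize, rawsize in SECTIONS:
        layout[name] = (offset, offset + rawsize)
        offset += rawsize
    return layout, offset   # offset = first byte after the last section's raw data


def directory_sections():
    """Map each non-empty directory to its section. SECURITY is skipped on
    purpose: its address is a file offset and must not be treated as an RVA."""
    return {name: rva_to_section(va)
            for name, (va, size) in DATA_DIRECTORIES.items()
            if size and name != "SECURITY"}


def certificate_table_is_appended():
    """True if the certificate table starts right after the last section's raw
    data and ends exactly at end of file: the layout of an appended signature."""
    _layout, end_of_sections = raw_layout()
    cert_off, cert_size = DATA_DIRECTORIES["SECURITY"]
    return cert_off == end_of_sections and cert_off + cert_size == FILE_SIZE


def is_dotnet():
    """A non-empty COM descriptor (CLR header) inside a mapped section marks a managed assembly."""
    va, size = DATA_DIRECTORIES["COM_DESCRIPTOR"]
    return size != 0 and rva_to_section(va) is not None


def slack_report():
    """VirtualSize minus SizeOfRawData per section; a large positive value is
    room reserved for unpacking, a large negative value is file padding."""
    return {name: vsize - rawsize for name, _va, vsize, rawsize in SECTIONS}


if __name__ == "__main__":
    print(directory_sections())
    print("certificate table appended at EOF:", certificate_table_is_appended())
    print(".NET assembly:", is_dotnet())
    print("virtual - raw per section:", slack_report())
```

With the report's numbers the certificate table ends at 0x451800 + 0x26f8 = 0x453ef8 = 4538104, exactly the file size, so the signature blob is the last 9976 bytes of the file; a quick way to confirm that the "Binary contains a suspicious time stamp" finding is not explained by a detached or corrupted signature block.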
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 27, 2023 23:45:46.137821913 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.137880087 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.138042927 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.138305902 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.138318062 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.199451923 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.199651003 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.200980902 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.200989008 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.201179981 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.202435970 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.244359016 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.358931065 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.359064102 CET  443          49840      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:46.359240055 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:46.361078024 CET  49840        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.290437937 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.290566921 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.290800095 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.290915012 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.290955067 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.363826990 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.365309000 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.365395069 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.734452963 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.734711885 CET  443          49841      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.734857082 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.735126019 CET  49841        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.735582113 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.735670090 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.735925913 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.736011028 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.736044884 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.811001062 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.812463999 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.812517881 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.998907089 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.999191999 CET  443          49842      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:47.999414921 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:47.999598980 CET  49842        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.766437054 CET  49843        80         192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.781750917 CET  80           49843      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.782216072 CET  49843        80         192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.783488035 CET  49843        80         192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.798579931 CET  80           49843      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.799432993 CET  80           49843      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.804167986 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.804256916 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.804717064 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.804913998 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.804964066 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.845278978 CET  49843        80         192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.873941898 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:50.923388958 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.974786997 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:50.974805117 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:51.580890894 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:51.581104040 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:51.581305027 CET  443          49844      168.119.56.74  192.168.11.20
Jan 27, 2023 23:45:51.581707954 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:51.581707954 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:45:52.310825109 CET  49844        443        192.168.11.20  168.119.56.74
Jan 27, 2023 23:47:30.776448965 CET  49843        80         192.168.11.20  168.119.56.74
Jan 27, 2023 23:47:30.792191029 CET  80           49843      168.119.56.74  192.168.11.20
Jan 27, 2023 23:47:30.792531967 CET  49843        80         192.168.11.20  168.119.56.74
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Jan 27, 2023 23:45:46.117924929 CET  53842        53         192.168.11.20  1.1.1.1
Jan 27, 2023 23:45:46.133739948 CET  53           53842      1.1.1.1        192.168.11.20
Timestamp                            Source IP      Dest IP  Trans ID  OP Code             Name                         Type            Class        DNS over HTTPS
Jan 27, 2023 23:45:46.117924929 CET  192.168.11.20  1.1.1.1  0x6651    Standard query (0)  start.searchmagiconline.com  A (IP address)  IN (0x0001)  false
Timestamp                            Source IP  Dest IP        Trans ID  Reply Code    Name                         CName  Address        Type            Class        DNS over HTTPS
Jan 27, 2023 23:45:46.133739948 CET  1.1.1.1    192.168.11.20  0x6651    No error (0)  start.searchmagiconline.com  -      168.119.56.74  A (IP address)  IN (0x0001)  false
              • start.searchmagiconline.com
Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
0           192.168.11.20  49840        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
(no plaintext at this layer: sessions 0 to 3 are TLS on port 443; their decrypted content is listed under the HTTPS sessions further down)


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
1           192.168.11.20  49841        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
2           192.168.11.20  49842        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
3           192.168.11.20  49844        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
4           192.168.11.20  49843        168.119.56.74   80                C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
Jan 27, 2023 23:45:50.783488035 CET  109  OUT  GET /time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 HTTP/1.1
Host: start.searchmagiconline.com
Connection: Keep-Alive
Jan 27, 2023 23:45:50.799432993 CET  109  IN  HTTP/1.1 301 Moved Permanently
Location: https://start.searchmagiconline.com/time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826
Date: Fri, 27 Jan 2023 22:45:50 GMT
Content-Length: 17
Content-Type: text/plain; charset=utf-8
Data Raw: 4d 6f 76 65 64 20 50 65 72 6d 61 6e 65 6e 74 6c 79
Data Ascii: Moved Permanently


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
0           192.168.11.20  49840        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
2023-01-27 22:45:46 UTC  0  OUT  GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_BRAND_NAME HTTP/1.1
Host: start.searchmagiconline.com
Connection: Keep-Alive
2023-01-27 22:45:46 UTC  0  IN  HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Content-Type: application/json;charset=ISO-8859-1
Date: Fri, 27 Jan 2023 22:45:46 GMT
Server: Nginx
Content-Length: 39
Connection: close
2023-01-27 22:45:46 UTC  0  IN  Data Raw: 7b 22 47 45 54 5f 42 52 41 4e 44 5f 4e 41 4d 45 22 3a 22 73 65 61 72 63 68 6d 61 67 69 63 6f 6e 6c 69 6e 65 22 7d 0a
Data Ascii: {"GET_BRAND_NAME":"searchmagiconline"}


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
1           192.168.11.20  49841        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
2023-01-27 22:45:47 UTC  0  OUT  GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_SIGNATURE HTTP/1.1
Host: start.searchmagiconline.com
Connection: Keep-Alive
2023-01-27 22:45:47 UTC  0  IN  HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Content-Type: application/json;charset=ISO-8859-1
Date: Fri, 27 Jan 2023 22:45:47 GMT
Server: Nginx
Content-Length: 56
Connection: close
2023-01-27 22:45:47 UTC  0  IN  Data Raw: 7b 22 47 45 54 5f 53 49 47 4e 41 54 55 52 45 22 3a 22 42 55 5a 5a 5f 49 4e 4e 4f 56 41 54 49 4f 4e 5f 50 44 46 5f 4d 41 47 49 43 5f 53 49 47 4e 41 54 55 52 45 22 7d 0a
Data Ascii: {"GET_SIGNATURE":"BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE"}


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
2           192.168.11.20  49842        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
2023-01-27 22:45:47 UTC  1  OUT  GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_OSOU HTTP/1.1
Host: start.searchmagiconline.com
2023-01-27 22:45:47 UTC  1  IN  HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Content-Type: application/json;charset=ISO-8859-1
Date: Fri, 27 Jan 2023 22:45:47 GMT
Server: Nginx
Vary: Accept-Encoding
Content-Length: 187
Connection: close
2023-01-27 22:45:47 UTC  1  IN  Data Raw: 7b 22 47 45 54 5f 4f 53 4f 55 22 3a 22 68 74 74 70 3a 2f 2f 7a 73 72 63 2e 73 65 61 72 63 68 6d 61 67 69 63 6f 6e 6c 69 6e 65 2e 63 6f 6d 3f 33 39 66 38 37 32 32 38 35 38 34 61 39 35 65 31 38 66 31 36 38 31 63 64 66 63 64 31 65 35 30 39 3d 48 31 78 41 58 46 4e 48 58 31 39 5a 56 6c 51 4e 45 51 51 77 42 77 39 63 51 31 70 51 52 6c 31 62 55 31 52 48 56 56 4e 41 58 46 6c 65 56 56 51 4a 44 42 30 4c 55 79 6b 6e 4e 79 34 6e 4e 69 6b 6f 57 31 46 43 56 56 46 43 4b 69 6f 73 56 45 4e 5a 56 30 52 66 57 31 74 53 4e 6c 78 55 52 46 5a 58 4c 79 4e 41 58 31 68 4d 22 7d 0a
Data Ascii: {"GET_OSOU":"http://zsrc.searchmagiconline.com?39f87228584a95e18f1681cdfcd1e509=H1xAXFNHX19ZVlQNEQQwBw9cQ1pQRl1bU1RHVVNAXFleVVQJDB0LUyknNy4nNikoW1FCVVFCKiosVENZV0RfW1tSNlxURFZXLyNAX1hM"}


Session ID  Source IP      Source Port  Destination IP  Destination Port  Process
3           192.168.11.20  49844        168.119.56.74   443               C:\Users\user\Desktop\pdfmagic.exe
Timestamp  kBytes transferred  Direction  Data
2023-01-27 22:45:50 UTC  1  OUT  GET /time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 HTTP/1.1
Host: start.searchmagiconline.com
Connection: Keep-Alive
2023-01-27 22:45:51 UTC  1  IN  HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: Access-Control-Allow-Origin,Access-Control-Allow-Credentials
Content-Type: application/json;charset=UTF-8
Date: Fri, 27 Jan 2023 22:45:51 GMT
Server: Nginx
Vary: Accept-Encoding
Connection: close
Transfer-Encoding: chunked
2023-01-27 22:45:51 UTC  2  IN  Data Raw: 66 65 35 0d 0a 7b 22 73 74 61 74 75 73 22 3a 32 30 30 2c 22 64 61 74 61 22 3a 7b 22 69 6e 73 74 61 6c 6c 65 72 44 61 74 61 22 3a 7b 7d 2c 22 70 61 72 61 6d 73 22 3a 7b 22 69 64 65 6e 74 69 74 79 22 3a 7b 22 64 65 73 63 72 69 70 74 6f 72 22 3a 7b 22 64 69 73 61 62 6c 65 5f 65 78 74 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 73 61 61 73 2f 64 69 73 61 62 6c 65 22 2c 22 69 6e 73 74 61 6c 6c 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 69 6e 73 74 61 6c 6c 22 2c 22 72 65 70 6f 72 74 5f 67 75 61 72 64 5f 61 63 74 69 76 69 74 79 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 63 6f 6d 70 6c 65 74 65 72 2f 67 75 61 72 64 5f 61 63 74 69 76 69 74 79 22 2c 22 62 6c 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 62 72 61
Data Ascii: fe5{"status":200,"data":{"installerData":{},"params":{"identity":{"descriptor":{"disable_ext_url":"http://null/saas/disable","install_url":"http://null/install","report_guard_activity_url":"http://null/completer/guard_activity","bl_url":"http://null/bra
2023-01-27 22:45:51 UTC  3  IN  Data Raw: 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 6d 6f 6e 65 74 69 7a 65 22 2c 22 75 70 64 61 74 65 5f 68 5f 75 72 6c 22 3a 22 68 74 74 70 3a 2f 2f 6e 75 6c 6c 2f 61 70 69 2f 68 75 70 64 61 74 65 22 7d 7d 7d 2c 22 61 63 74 69 6f 6e 22 3a 22 63 68 65 63 6b 5f 75 70 64 61 74 65 22 2c 22 69 6e 73 74 61 6c 6c 65 72 43 6f 6e 66 69 67 22 3a 7b 22 61 70 70 22 3a 7b 22 73 69 67 6e 61 74 75 72 65 22 3a 22 42 55 5a 5a 5f 49 4e 4e 4f 56 41 54 49 4f 4e 5f 50 44 46 5f 4d 41 47 49 43 5f 53 49 47 4e 41 54 55 52 45 22 2c 22 69 64 22 3a 22 31 36 31 32 32 35 38 35 35 39 32 34 33 37 35 34 22 2c 22 76 65 72 73 69 6f 6e 22 3a 22 31 31 31 31 22 7d 2c 22 75 72 6c 73 22 3a 7b 22 66 69 72 73 74 54 69 6d 65 22 3a 7b 22 70 61 74 68 22 3a 22 2f 69 6e 73 74 61 6c 6c 2f 66 69 72 73 74 5f
Data Ascii: ":"http://null/monetize","update_h_url":"http://null/api/hupdate"}}},"action":"check_update","installerConfig":{"app":{"signature":"BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE","id":"1612258559243754","version":"1111"},"urls":{"firstTime":{"path":"/install/first_
2023-01-27 22:45:51 UTC  5  IN  Data Raw: 68 61 6e 67 65 20 74 68 69 73 20 66 69 6c 65 20 66 72 6f 6d 20 6f 75 74 73 69 64 65 20 6f 66 20 46 69 72 65 66 6f 78 20 69 73 20 61 20 6d 61 6c 69 63 69 6f 75 73 20 61 63 74 2c 20 61 6e 64 20 77 69 6c 6c 20 62 65 20 72 65 73 70 6f 6e 64 65 64 20 74 6f 20 61 63 63 6f 72 64 69 6e 67 6c 79 2e 22 7d 2c 22 69 65 22 3a 7b 22 73 75 67 67 65 73 74 69 6f 6e 73 22 3a 22 68 74 74 70 73 3a 2f 2f 61 70 69 2e 62 69 6e 67 2e 63 6f 6d 2f 71 73 6d 6c 2e 61 73 70 78 3f 71 75 65 72 79 5c 75 30 30 33 64 7b 73 65 61 72 63 68 54 65 72 6d 73 7d 5c 75 30 30 32 36 6d 61 72 6b 65 74 5c 75 30 30 33 64 7b 6c 61 6e 67 75 61 67 65 7d 5c 75 30 30 32 36 6d 61 78 77 69 64 74 68 5c 75 30 30 33 64 7b 69 65 3a 6d 61 78 57 69 64 74 68 7d 5c 75 30 30 32 36 72 6f 77 68 65 69 67 68 74 5c 75 30
Data Ascii: hange this file from outside of Firefox is a malicious act, and will be responded to accordingly."},"ie":{"suggestions":"https://api.bing.com/qsml.aspx?query\u003d{searchTerms}\u0026market\u003d{language}\u0026maxwidth\u003d{ie:maxWidth}\u0026rowheight\u0
2023-01-27 22:45:51 UTC  5  IN  Data Raw: 61 67 69 63 6f 6e 6c 69 6e 65 2e 63 6f 6d 2f 65 75 6c 61 22 2c 22 64 69 73 63 6c 6f 73 69 6e 67 54 65 78 74 22 3a 5b 22 74 65 78 74 22 2c 22 74 65 78 74 22 5d 2c 22 62 72 61 6e 64 4e 61 6d 65 22 3a 22 73 65 61 72 63 68 6d 61 67 69 63 6f 6e 6c 69 6e 65 22 2c 22 69 6d 61 67 65 73 22 3a 7b 22 62 61 6e 6e 65 72 22 3a 22 2f 61 73 73 65 74 73 2f 31 36 31 32 32 35 38 35 34 32 36 30 38 5f 32 35 36 78 32 35 36 2e 70 6e 67 22 2c 22 6c 6f 67 6f 22 3a 22 2f 61 73 73 65 74 73 2f 31 36 31 32 32 35 38 35 34 32 37 38 37 5f 32 35 36 78 32 35 36 2e 70 6e 67 22 7d 2c 22 61 62 6f 75 74 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77 77 2e 70 64 66 6d 61 67 69 63 6f 6e 6c 69 6e 65 2e 63 6f 6d 22 2c 22 75 6e 69 6e 73 74 61 6c 6c 55 72 6c 22 3a 22 68 74 74 70 73 3a 2f 2f 77 77
Data Ascii: agiconline.com/eula","disclosingText":["text","text"],"brandName":"searchmagiconline","images":{"banner":"/assets/1612258542608_256x256.png","logo":"/assets/1612258542787_256x256.png"},"aboutUrl":"https://www.pdfmagiconline.com","uninstallUrl":"https://ww
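As an added example that is not part of the report, the script below takes the request lines and two of the hex dumps shown above (re-typed here as constructed input) and does what an analyst does by hand with this section: pulls out the identifiers the installer sends on every request, decodes the Data Raw hex back to the text the Data Ascii rows show, and reads the chunk-size prefix of the chunked /time reply. The split of emid into a processor ID and a disk serial is an interpretation, not something the report states, and is marked as an assumption in the code.

```python
"""Added example (not Joe Sandbox output): parse the installer's HTTP telemetry
as captured in this report."""
from urllib.parse import urlsplit, parse_qs

# Constructed from the four request lines in the report (one per session).
REQUEST_LINES = [
    "GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_BRAND_NAME HTTP/1.1",
    "GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_SIGNATURE HTTP/1.1",
    "GET /nav?emid=BFEBFBFF000906EDG515600503D05099DB2398&appId=1612258559243754&string_interpolation=GET_OSOU HTTP/1.1",
    "GET /time?session_id=f78b3e19-f0e0-4c4e-b8a2-62b76c7417db&app_id=1612258559243754&emid=BFEBFBFF000906EDG515600503D05099DB2398&install_version=1111&identity=searchmagiconline&sig=BUZZ_INNOVATION_PDF_MAGIC_SIGNATURE&download_browser=edge_chrome&os_version=10.0.19041&r=1659400826 HTTP/1.1",
]

# Constructed: the 'Data Raw' hex of the first /nav reply, and the start of the first /time chunk.
NAV_BRAND_RAW = ("7b 22 47 45 54 5f 42 52 41 4e 44 5f 4e 41 4d 45 22 3a 22 73 65 61 72 63 68 "
                 "6d 61 67 69 63 6f 6e 6c 69 6e 65 22 7d 0a")
TIME_CHUNK_HEAD = "66 65 35 0d 0a 7b 22 73 74 61 74 75 73 22 3a 32 30 30"


def parse_request(line):
    """Split 'METHOD target HTTP/x' into method, path and a flat dict of query params."""
    method, target, _version = line.split(" ", 2)
    parts = urlsplit(target)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return method, parts.path, params


def machine_identifiers(lines):
    """Collect every distinct value of the parameters that identify the host or
    the install. One emid across all requests makes it a stable tracking key."""
    keys = ("emid", "session_id", "app_id", "appId", "install_version", "os_version", "sig")
    found = {}
    for line in lines:
        _method, _path, params = parse_request(line)
        for k in keys:
            if k in params:
                found.setdefault(k, set()).add(params[k])
    return found


def split_emid(emid):
    """ASSUMPTION, not stated by the report: the first 16 hex digits have the shape
    of a WMI Win32_Processor.ProcessorId (CPUID feature flags + signature) and the
    remainder looks like a disk serial, which would fit the WMI disk query and the
    IOCTL_STORAGE activity elsewhere in the report."""
    head, tail = emid[:16], emid[16:]
    if len(head) == 16 and all(c in "0123456789ABCDEF" for c in head):
        return {"processor_id": head, "disk_serial": tail}
    return {"unparsed": emid}


def hexdump_to_text(raw):
    """Decode a Joe Sandbox 'Data Raw' hex string back into text (latin-1 keeps every byte)."""
    return bytes.fromhex(raw.replace(" ", "")).decode("latin-1")


def first_chunk_size(raw):
    """For a Transfer-Encoding: chunked body, read the leading hex size line."""
    text = hexdump_to_text(raw)
    size_line, _sep, _rest = text.partition("\r\n")
    return int(size_line, 16)


if __name__ == "__main__":
    ids = machine_identifiers(REQUEST_LINES)
    print(ids)
    print(split_emid(next(iter(ids["emid"]))))
    print(repr(hexdump_to_text(NAV_BRAND_RAW)))
    print("first chunk:", first_chunk_size(TIME_CHUNK_HEAD), "bytes")
```

The decoded /nav body is 39 bytes, matching its Content-Length header, and the /time reply's first chunk header "fe5" announces 4069 bytes, which is why the report shows that response spread over several Data Raw rows.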



Target ID: 1
Start time: 23:45:42
Start date: 27/01/2023
Path: C:\Users\user\Desktop\pdfmagic.exe
Wow64 process (32bit): true
Commandline: C:\Users\user\Desktop\pdfmagic.exe
Imagebase: 0x900000
File size: 4538104 bytes
MD5 hash: B7819389909C4D9DAE3C9A6135AB1319
Has elevated privileges: true
Has administrator privileges: true
Programmed in: .Net C# or VB.NET
Reputation: low

Target ID: 3
Start time: 23:45:43
Start date: 27/01/2023
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7195e0000
File size: 875008 bytes
MD5 hash: 81CA40085FC75BABD2C91D18AA9FFA68
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high


                Execution Graph

                Execution Coverage:9.5%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:2.4%
                Total number of Nodes:125
                Total number of Limit Nodes:7
execution_graph (rendered as an image in the report; the node list is summarised here). Three call chains reach Windows APIs:
1. 5b8a758 -> 5b8a9aa -> 5b8ab8c / 5b8aba6 / 5b8aa81 / 5b8aa90 -> 5b8ae38 / 5b8ae89 / 5b8ae98 -> 5b8aefc, ending in RtlEncodePointer (called from 5b8ae89, 5b8ae98 and 5b8aefc).
2. 305620f -> 3056308 / 30562f8 -> 30556b4 -> 3056398, ending in VirtualProtect (called from 30556b4 and 3056398).
3. 30557b8 -> 3055868 -> 3055d77 / 3055d88 -> 3056542 / 30565a9 / 30565b8 -> 30569c9 (CreateFileA at 3056b28) -> 30565dd -> 305572c (DeviceIoControl at 3056c20); and 3055ada -> 305a6d8 / 305a6e8 -> 305a810 -> 305a981 / 305a9a8 -> 305724c (GetFileVersionInfoSizeW at 305ac00 and 305ac54) -> 3057258 (GetFileVersionInfoW at 305b0c0).

                Control-flow Graph

Control-flow graph of function 305572c (rendered as an image in the report): 305572c-3056cc9 (calls DeviceIoControl) -> 3056ccb-3056cd1 and 3056cd2-3056d0d -> 3056d0f / 3056d17 -> 3056d18, which loops on itself.
                APIs
• DeviceIoControl.KERNEL32(00000000,002D1400,?,?,?,?,?,?), ref: 03056CB9
Control code 0x002D1400 is IOCTL_STORAGE_QUERY_PROPERTY, i.e. CTL_CODE(FILE_DEVICE_MASS_STORAGE, 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS). With StorageDeviceProperty it returns a STORAGE_DEVICE_DESCRIPTOR carrying the drive's vendor, product, revision and serial strings, which is the usual way user-mode code reads a disk model string to recognise a hypervisor's virtual disk. The execution graph shows CreateFileA (30569c9) being reached immediately before this function, consistent with opening a device handle and then querying it; the handle and path arguments are not resolved in this trace.
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: ControlDevice
                • String ID:
                • API String ID: 2352790924-0
                • Opcode ID: df8466d8acb0788a1d5d58a661c83c6b2db638d7d20b2151ebec1c459b83324d
                • Instruction ID: 63a538c33c01b14d3e277dee6f52d735642f096e16aa3abf0eb909efb8d63d52
                • Opcode Fuzzy Hash: df8466d8acb0788a1d5d58a661c83c6b2db638d7d20b2151ebec1c459b83324d
                • Instruction Fuzzy Hash: 233103B0901248AFCB10CF9AD984ADEBFF5FF48300F54841AE809A7350D7759945CFA4
                Uniqueness

                Uniqueness Score: -1.00%
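As an added example that is neither report output nor the sample's code, the script below decodes the 002D1400 control code from the API list above into its CTL_CODE fields and parses a constructed STORAGE_DEVICE_DESCRIPTOR buffer, the structure that IOCTL_STORAGE_QUERY_PROPERTY returns and that disk-based VM checks read. The descriptor bytes, the bus-type value and the hypervisor marker list are constructed for the example; the report does not show what this sample does with the buffer it receives.

```python
"""Added example (not Joe Sandbox output): decode a DeviceIoControl control code
and parse the STORAGE_DEVICE_DESCRIPTOR that IOCTL_STORAGE_QUERY_PROPERTY returns."""
import struct

# CTL_CODE(DeviceType, Function, Method, Access) from the Windows SDK:
#   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method
DEVICE_TYPES = {0x02: "FILE_DEVICE_CD_ROM", 0x07: "FILE_DEVICE_DISK",
                0x12: "FILE_DEVICE_NETWORK", 0x22: "FILE_DEVICE_UNKNOWN",
                0x2d: "FILE_DEVICE_MASS_STORAGE"}
METHODS = {0: "METHOD_BUFFERED", 1: "METHOD_IN_DIRECT", 2: "METHOD_OUT_DIRECT", 3: "METHOD_NEITHER"}
ACCESS = {0: "FILE_ANY_ACCESS", 1: "FILE_READ_ACCESS", 2: "FILE_WRITE_ACCESS",
          3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS"}
# Control codes that disk-fingerprinting code commonly issues (values from the SDK headers).
KNOWN = {
    0x002D1400: "IOCTL_STORAGE_QUERY_PROPERTY",
    0x002D1080: "IOCTL_STORAGE_GET_DEVICE_NUMBER",
    0x00070000: "IOCTL_DISK_GET_DRIVE_GEOMETRY",
    0x0007405C: "IOCTL_DISK_GET_LENGTH_INFO",
    0x0007C088: "SMART_RCV_DRIVE_DATA",
}


def ctl_code(device_type, function, method, access):
    return (device_type << 16) | (access << 14) | (function << 2) | method


def decode_ioctl(code):
    """Split a control code into its four fields and name it if it is a known one."""
    fields = {"device_type": (code >> 16) & 0xFFFF, "access": (code >> 14) & 0x3,
              "function": (code >> 2) & 0xFFF, "method": code & 0x3}
    fields["device_type_name"] = DEVICE_TYPES.get(fields["device_type"], "unknown")
    fields["method_name"] = METHODS[fields["method"]]
    fields["access_name"] = ACCESS[fields["access"]]
    fields["name"] = KNOWN.get(code)
    return fields


# STORAGE_DEVICE_DESCRIPTOR header, 36 bytes little-endian: Version, Size, DeviceType,
# DeviceTypeModifier, RemovableMedia, CommandQueueing, VendorIdOffset, ProductIdOffset,
# ProductRevisionOffset, SerialNumberOffset, BusType, RawPropertiesLength.
_DESC_FMT = "<IIBBBBIIIIII"
_DESC_LEN = struct.calcsize(_DESC_FMT)


def build_descriptor(vendor, product, revision, serial, bus_type=11):
    """Constructed test data: the buffer the storage stack returns for
    StorageDeviceProperty. String offsets are relative to the structure start,
    0 meaning 'absent'. bus_type 11 is BusTypeSata, 14 is BusTypeVirtual."""
    strings, offsets = b"", []
    for s in (vendor, product, revision, serial):
        if s is None:
            offsets.append(0)
        else:
            offsets.append(_DESC_LEN + len(strings))
            strings += s.encode() + b"\0"
    header = struct.pack(_DESC_FMT, 1, _DESC_LEN + len(strings), 0x00, 0, 0, 1,
                         *offsets, bus_type, len(strings))
    return header + strings


def _cstring(buf, off):
    if off == 0 or off >= len(buf):
        return None
    end = buf.find(b"\0", off)
    return buf[off:end if end != -1 else len(buf)].decode("latin-1")


def parse_descriptor(buf):
    (_ver, _size, _dtype, _mod, removable, _queue, v_off, p_off, r_off, s_off,
     bus_type, _raw_len) = struct.unpack_from(_DESC_FMT, buf, 0)
    return {"vendor": _cstring(buf, v_off), "product": _cstring(buf, p_off),
            "revision": _cstring(buf, r_off), "serial": _cstring(buf, s_off),
            "bus_type": bus_type, "removable": bool(removable)}


VM_MARKERS = ("vmware", "virtual", "vbox", "qemu", "xen")   # constructed list for the example


def looks_virtual(desc):
    """A typical VM check over this descriptor (the report does not confirm the
    sample performs it): hypervisor names in vendor/product, or BusTypeVirtual."""
    text = " ".join(s for s in (desc["vendor"], desc["product"]) if s).lower()
    return desc["bus_type"] == 14 or any(m in text for m in VM_MARKERS)


if __name__ == "__main__":
    print(decode_ioctl(0x002D1400))
    print(parse_descriptor(build_descriptor("VMware  ", "Virtual disk    ", "2.0 ", None)))
```

Run against a sandbox, the descriptor strings are exactly what a hardened analysis image patches (vendor and product of the virtual disk); the Win32_DiskDrive WMI query flagged in this report reads the same fields through a different path, so both should be masked together.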

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: f5345dd4733a651477cfcba937db0dece3a02a98e55b087f55bd3f1431940111
                • Instruction ID: 3e5e89a1338122058a71cba898b86f5cc24fdf657ff4b0bea68e9b3cc8d00848
                • Opcode Fuzzy Hash: f5345dd4733a651477cfcba937db0dece3a02a98e55b087f55bd3f1431940111
                • Instruction Fuzzy Hash: 2132BF74B006158FDB54CFA9D45466EB7F2FF89300B24891AE94AEB351DB39EC41CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 09502e7cbf8254209871e5361e1471b88c8e92301c96320c30c23474950adb73
                • Instruction ID: a19b00a6110d566a4381e8bf3e607dfcc6b9b88d71c82759115d5b3ea3b1d3a0
                • Opcode Fuzzy Hash: 09502e7cbf8254209871e5361e1471b88c8e92301c96320c30c23474950adb73
                • Instruction Fuzzy Hash: 95B15270E01209CFDF50CFA9D8857EEBBF2EF88714F188529E815A7294DB749845CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 30da8f92e44f697877d58bddc9373107c557e869e47585e7dcb3dc1b9c236b08
                • Instruction ID: 14ded14460b8421c419a55e40f53d6fb662ecbf3469f80b35d68f4e47614698b
                • Opcode Fuzzy Hash: 30da8f92e44f697877d58bddc9373107c557e869e47585e7dcb3dc1b9c236b08
                • Instruction Fuzzy Hash: A2B18371F012098FDF51CFA9D8917DEBBF2AF88314F188629E815E7254EB759841CB81
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 5228a62e370068ad2a07262cdbdba8ba6b71c9de6b8bffe5cfce6ce34e8b20a2
                • Instruction ID: 2be1b1ba6e3c4e4d1cd9b12b56b2fe3855df385643cbefd90585a412a02b2680
                • Opcode Fuzzy Hash: 5228a62e370068ad2a07262cdbdba8ba6b71c9de6b8bffe5cfce6ce34e8b20a2
                • Instruction Fuzzy Hash: FA819431A10209CFDB04EF68D8446DEFBB5FF89300F458AA9D849A7205DF71AD99CB51
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

Control-flow graph of function 305a9a8 (rendered as an image in the report): entry block 305a9a8-305a9c0, optionally calling 305724c at 305a9c2; 305a9c7-305a9cb branches to 305a9d1-305a9e6 (calls 3057258) or to 305ab8e-305abb2; 305a9f3-305aa0b calls 3057264; loops at 305aa33-305aa6c and at 305ab17-305ab81 (the latter calling 3057264 from 305ab32-305ab51); 305abe4-305ac4c leads to 305ac54-305ac80, which calls GetFileVersionInfoSizeW, then 305ac82-305ac88 and the exit block 305ac89-305aca6.
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: FileInfoVersion$Size
                • String ID:
                • API String ID: 2104008232-0
                • Opcode ID: 6568856fe7db92cae1356886ff57edda713ff801d8377cde9feae72bb8346591
                • Instruction ID: ab210c1d85a1ecaaeb6f4dbe3e98e798d67449a624f41b716136ab18b71c2d94
                • Opcode Fuzzy Hash: 6568856fe7db92cae1356886ff57edda713ff801d8377cde9feae72bb8346591
                • Instruction Fuzzy Hash: 25917D75F002198BDB15DFA9C9506AFFBF6FF88300F14856AE805AB344DB35AD058BA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 628 30569c9-3056a28 call 3055738 634 3056a2f-3056acc 628->634 635 3056a2a-3056a2e 628->635 641 3056b05-3056b82 CreateFileA 634->641 642 3056ace-3056ad8 634->642 651 3056b84-3056b8a 641->651 652 3056b8b-3056bc9 641->652 642->641 643 3056ada-3056adc 642->643 644 3056aff-3056b02 643->644 645 3056ade-3056ae8 643->645 644->641 647 3056aec-3056afb 645->647 648 3056aea 645->648 647->647 649 3056afd 647->649 648->647 649->644 651->652 656 3056bd9 652->656 657 3056bcb-3056bcf 652->657 659 3056bda 656->659 657->656 658 3056bd1-3056bd4 call 3050c3c 657->658 658->656 659->659
                APIs
                • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 03056B72
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 86f2314ffb1c51b5e607943eb8d63fe7293f533f64c109b8796c80158db531f2
                • Instruction ID: 868e60b0fd842ce430c74cb1bbadebd9a9871a45f22b5f0f811cb699aacf5bb0
                • Opcode Fuzzy Hash: 86f2314ffb1c51b5e607943eb8d63fe7293f533f64c109b8796c80158db531f2
                • Instruction Fuzzy Hash: C751AA71E013589FEB10CFA9C854B9EBBF6EF49300F15816AE809EB291C7758841CB91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 661 3056a68-3056acc 663 3056b05-3056b82 CreateFileA 661->663 664 3056ace-3056ad8 661->664 673 3056b84-3056b8a 663->673 674 3056b8b-3056bc9 663->674 664->663 665 3056ada-3056adc 664->665 666 3056aff-3056b02 665->666 667 3056ade-3056ae8 665->667 666->663 669 3056aec-3056afb 667->669 670 3056aea 667->670 669->669 671 3056afd 669->671 670->669 671->666 673->674 678 3056bd9 674->678 679 3056bcb-3056bcf 674->679 681 3056bda 678->681 679->678 680 3056bd1-3056bd4 call 3050c3c 679->680 680->678 681->681
                APIs
                • CreateFileA.KERNEL32(?,?,?,?,?,00000001,00000004), ref: 03056B72
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: CreateFile
                • String ID:
                • API String ID: 823142352-0
                • Opcode ID: 89795105194374a4a86c76de47edc515ea55e7e7900ac520fcfbbffc2937ff9a
                • Instruction ID: cc98aedce8caa64c000a0b6f0b83751302a42d8b7f2d7d88108a984f49503228
                • Opcode Fuzzy Hash: 89795105194374a4a86c76de47edc515ea55e7e7900ac520fcfbbffc2937ff9a
                • Instruction Fuzzy Hash: 68411471D012589FEB10CFA9C944B9EBBF5FB48300F24852AE819AB251D7769884CF91
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 683 3056c14-3056c18 684 3056bae-3056bc9 683->684 685 3056c1a-3056c7a 683->685 688 3056bd9 684->688 689 3056bcb-3056bcf 684->689 690 3056c82-3056cc9 DeviceIoControl 685->690 692 3056bda 688->692 689->688 691 3056bd1-3056bd4 call 3050c3c 689->691 693 3056cd2-3056d0d 690->693 694 3056ccb-3056cd1 690->694 691->688 692->692 698 3056d17 693->698 699 3056d0f 693->699 694->693 700 3056d18 698->700 699->698 700->700
                APIs
                • DeviceIoControl.KERNEL32(00000000,002D1400,?,?,?,?,?,?), ref: 03056CB9
                • Note: dwIoControlCode 0x002D1400 is IOCTL_STORAGE_QUERY_PROPERTY (FILE_DEVICE_MASS_STORAGE 0x2D, function 0x500, METHOD_BUFFERED, FILE_ANY_ACCESS), the request used to read a disk's STORAGE_DEVICE_DESCRIPTOR (vendor, product, serial number). This is consistent with the "Queries disk information" and "Contains functionality to communicate with device drivers" signatures; the device handle in the first argument is not resolved here, so the target device path is not visible in this log line.
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: ControlDevice
                • String ID:
                • API String ID: 2352790924-0
                • Opcode ID: d79445f1219c046f3c92f91135bca4c32d3dface0fa3769e9eb7ed147e240112
                • Instruction ID: 9a533245926a350050d618462f63f669fa1b1a15c23ffcaec1ba9e5448694e95
                • Opcode Fuzzy Hash: d79445f1219c046f3c92f91135bca4c32d3dface0fa3769e9eb7ed147e240112
                • Instruction Fuzzy Hash: F63122B090125CEFDB64CF99D984BDEBFF1EF48300F64941AE809AB250C7759985CB64
                Uniqueness

                Uniqueness Score: -1.00%
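                The DeviceIoControl call logged above carries control code 0x002D1400. Decoding such codes by hand is error-prone, so the following added example (not part of the report or of pdfmagic.exe; written for this page, with no Windows headers so it runs anywhere) splits a CTL_CODE into its four fields and names the disk and storage IOCTLs that matter when triaging a DeviceIoControl log. The table values are the documented Windows definitions recomputed through CTL_CODE; the function names and the table itself are this example's own.

```c
/* Decode a DeviceIoControl control code into its CTL_CODE fields and name
 * the storage/disk IOCTLs that show up in sandbox API logs. Added example,
 * not code from the report or the sample; pure C99 with no Windows headers.
 * Constants are the documented Windows values; the function names and the
 * table are this example's own. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* CTL_CODE(DeviceType, Function, Method, Access) =
 *   (DeviceType << 16) | (Access << 14) | (Function << 2) | Method */
typedef struct {
    uint16_t device_type;  /* 0x07 FILE_DEVICE_DISK, 0x2D FILE_DEVICE_MASS_STORAGE, ... */
    uint8_t  access;       /* 0 FILE_ANY_ACCESS, 1 READ, 2 WRITE, 3 READ|WRITE */
    uint16_t function;     /* 12-bit function number */
    uint8_t  method;       /* 0 BUFFERED, 1 IN_DIRECT, 2 OUT_DIRECT, 3 NEITHER */
} ioctl_fields;

uint32_t ctl_code(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access) {
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3) << 14)
         | ((uint32_t)(function & 0xFFF) << 2) | (method & 3);
}

ioctl_fields decode_ioctl(uint32_t code) {
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3);
    f.function    = (uint16_t)((code >> 2) & 0xFFF);
    f.method      = (uint8_t)(code & 0x3);
    return f;
}

/* Disk-identity IOCTLs commonly used to fingerprint the host; each value is
 * what CTL_CODE yields for the documented definition. */
static const struct { uint32_t code; const char *name; const char *returns; } known[] = {
    { 0x002D1400u, "IOCTL_STORAGE_QUERY_PROPERTY",     "STORAGE_DEVICE_DESCRIPTOR: vendor, product, serial" },
    { 0x002D1080u, "IOCTL_STORAGE_GET_DEVICE_NUMBER",  "device type and number" },
    { 0x00070000u, "IOCTL_DISK_GET_DRIVE_GEOMETRY",    "cylinders, heads, sectors" },
    { 0x000700A0u, "IOCTL_DISK_GET_DRIVE_GEOMETRY_EX", "geometry plus disk size" },
    { 0x0007405Cu, "IOCTL_DISK_GET_LENGTH_INFO",       "disk length in bytes" },
    { 0x0007C088u, "SMART_RCV_DRIVE_DATA",             "ATA IDENTIFY block: model, serial, firmware" },
};

const char *ioctl_name(uint32_t code) {
    for (size_t i = 0; i < sizeof known / sizeof known[0]; i++)
        if (known[i].code == code) return known[i].name;
    return NULL;
}

/* True for any request aimed at the disk or mass-storage class driver,
 * named or not: the first thing to flag when triaging DeviceIoControl logs. */
int targets_storage_stack(uint32_t code) {
    uint16_t t = decode_ioctl(code).device_type;
    return t == 0x07 || t == 0x2D;
}

int main(void) {
    uint32_t code = 0x002D1400u;   /* value logged at 03056CB9 in the report */
    ioctl_fields f = decode_ioctl(code);
    const char *name = ioctl_name(code);
    printf("0x%08X: device 0x%02X function 0x%03X method %u access %u -> %s\n",
           code, f.device_type, f.function, f.method, f.access, name ? name : "unknown");
    return 0;
}
```

                When reading a sandbox API log, run every DeviceIoControl code through targets_storage_stack first: an unnamed code against device type 0x07 or 0x2D still deserves a look, since vendor-specific storage requests are not in any fixed table.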

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 701 5b8ae89-5b8ae90 702 5b8aeae 701->702 703 5b8ae92-5b8aea8 701->703 704 5b8aeaf-5b8aebb 702->704 705 5b8ae77-5b8ae85 702->705 703->702 706 5b8aebc-5b8aec9 704->706 707 5b8ae46-5b8ae56 call 5b8aa58 704->707 708 5b8aed2-5b8aeda 706->708 724 5b8aecc call 5b8af70 706->724 725 5b8ae60 call 5b8ae98 707->725 726 5b8ae60 call 5b8ae89 707->726 713 5b8aedc-5b8aede 708->713 714 5b8aee0 708->714 712 5b8ae66-5b8ae73 call 5b8aca8 712->705 716 5b8aee5-5b8aef0 713->716 714->716 718 5b8af51-5b8af5e 716->718 719 5b8aef2-5b8af23 RtlEncodePointer 716->719 721 5b8af2c-5b8af4c 719->721 722 5b8af25-5b8af2b 719->722 721->718 722->721 724->708 725->712 726->712
                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 05B8AF12
                • Note: EncodePointer XORs a pointer with a per-process secret so stored function pointers cannot be forged. Encoding NULL is how the C runtime initialises its protected function-pointer slots, so this call on its own is not an indicator.
                Memory Dump Source
                • Source File: 00000001.00000002.104945530752.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_5b80000_pdfmagic.jbxd
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: 385a595ac9e5cb3db3e7269a9f295e3850371919dad787211ab1a5eac0afe697
                • Instruction ID: 712f9d0a49821c0dd9ad302d1e7c4b87fb81d56722281fdafffbfab336c4fd4d
                • Opcode Fuzzy Hash: 385a595ac9e5cb3db3e7269a9f295e3850371919dad787211ab1a5eac0afe697
                • Instruction Fuzzy Hash: 5331DCB1900348CFDB20EFA5D5083BABBF8FB05315F24949AE049A7680DB39A504CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 738 3057258-305b112 741 305b114-305b11a 738->741 742 305b11d-305b123 738->742 741->742 743 305b125-305b131 742->743 744 305b133-305b165 GetFileVersionInfoW 742->744 743->744 745 305b167-305b16d 744->745 746 305b16e-305b196 744->746 745->746
                APIs
                • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 0305B158
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: FileInfoVersion
                • String ID:
                • API String ID: 2427832333-0
                • Opcode ID: 9e757d63c10d7e2c0858e43f8d90fc41a1eefb3a0b8af8260297bf48cade3c66
                • Instruction ID: 1078149d352c714ad0c2acb4d8a1727ae3af5b1597f921184fa163d9af2dabfa
                • Opcode Fuzzy Hash: 9e757d63c10d7e2c0858e43f8d90fc41a1eefb3a0b8af8260297bf48cade3c66
                • Instruction Fuzzy Hash: D83103B1D01619AFCB54CF99D9847EEFBF4FF48310F14852AE819A7240D374AA44CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 749 305b0ba-305b112 752 305b114-305b11a 749->752 753 305b11d-305b123 749->753 752->753 754 305b125-305b131 753->754 755 305b133-305b165 GetFileVersionInfoW 753->755 754->755 756 305b167-305b16d 755->756 757 305b16e-305b196 755->757 756->757
                APIs
                • GetFileVersionInfoW.KERNELBASE(?,00000000,?,00000000), ref: 0305B158
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: FileInfoVersion
                • String ID:
                • API String ID: 2427832333-0
                • Opcode ID: 2e2904457455aefefc5912962c3df44ab5df47941c459e925796c62316d8657c
                • Instruction ID: 8caa183484b716ab7a9a07da177c08a89c5130b84d5d22c3a549249d9199d9b3
                • Opcode Fuzzy Hash: 2e2904457455aefefc5912962c3df44ab5df47941c459e925796c62316d8657c
                • Instruction Fuzzy Hash: B72166B2D01219AFDB40CF98D9407DEFBF0FF48310F24815AE858A7250C738AA45CBA8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 760 30556b4-30563e7 763 30563f3-305642b VirtualProtect 760->763 764 30563e9-30563f1 760->764 765 3056434-305645c 763->765 766 305642d-3056433 763->766 764->763 766->765
                APIs
                • VirtualProtect.KERNEL32(00000000,?,00000040,?), ref: 0305641E
                • Note: flNewProtect 0x00000040 is PAGE_EXECUTE_READWRITE. Re-protecting a region as writable and executable at run time is consistent with the ".NET source code contains potential unpacker" signature; the address and size arguments are not resolved in this log line.
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: 78083d599cf99f0665dc153bd36287dc76078b94cb5f86e7c368ae88d580314a
                • Instruction ID: 80029e1347f3562a252e994bb16d78802358ffdc1929b1ea7ae2acabefcafba3
                • Opcode Fuzzy Hash: 78083d599cf99f0665dc153bd36287dc76078b94cb5f86e7c368ae88d580314a
                • Instruction Fuzzy Hash: 8B212371D01219AFCB10CF99D880BEEFBF4FB48310F50852AE918A7340D379A9448BE4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 769 3056390-30563e7 771 30563f3-305642b VirtualProtect 769->771 772 30563e9-30563f1 769->772 773 3056434-305645c 771->773 774 305642d-3056433 771->774 772->771 774->773
                APIs
                • VirtualProtect.KERNEL32(00000000,?,00000040,?), ref: 0305641E
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: ProtectVirtual
                • String ID:
                • API String ID: 544645111-0
                • Opcode ID: e4cc589d74775b51e5bf2ce8a17b3c49cf7c32dd4af8f9f553e45990bda9aa23
                • Instruction ID: 1c95be538221055fe898b2d0477f0bcfd35283233ae0b3ac7f84e2040c82605e
                • Opcode Fuzzy Hash: e4cc589d74775b51e5bf2ce8a17b3c49cf7c32dd4af8f9f553e45990bda9aa23
                • Instruction Fuzzy Hash: A22103B5D012199FDB40CF99D880BDEFBF4FB48310F54852AE858A7340D379A9448FA4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 777 305724c-305ac4c 780 305ac54-305ac80 GetFileVersionInfoSizeW 777->780 781 305ac4e-305ac51 777->781 782 305ac82-305ac88 780->782 783 305ac89-305aca6 780->783 781->780 782->783
                APIs
                • GetFileVersionInfoSizeW.KERNELBASE(00000000,00000000), ref: 0305AC73
                Memory Dump Source
                • Source File: 00000001.00000002.104927207666.0000000003050000.00000040.00000800.00020000.00000000.sdmp, Offset: 03050000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_3050000_pdfmagic.jbxd
                Similarity
                • API ID: FileInfoSizeVersion
                • String ID:
                • API String ID: 1661704012-0
                • Opcode ID: e362556108b219b2cac852224bb424ae2babd478ee3b671d3e17a6dfa39b3779
                • Instruction ID: 7c1ea2183b4623e7c5451026b7dfd3ac50920feb115afc8aafb22993b286b73d
                • Opcode Fuzzy Hash: e362556108b219b2cac852224bb424ae2babd478ee3b671d3e17a6dfa39b3779
                • Instruction Fuzzy Hash: 722124B1D002599FCB14CF9AD98479EFBF4FB48210F14862AE819A7200C774A904CFA5
                Uniqueness

                Uniqueness Score: -1.00%
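                The functions above pair GetFileVersionInfoSizeW (ref 0305AC73) with GetFileVersionInfoW (ref 0305B158), which copies a file's VS_VERSIONINFO resource into a caller-supplied buffer; what the caller then reads is the VS_FIXEDFILEINFO record inside that block. The added example below (written for this page, not code from the report or from pdfmagic.exe) parses that record from raw bytes with no Windows headers. The struct layout and constants are the documented Windows ones; the sample block it parses is constructed in the code, not dumped from the sample.

```c
/* Parse the VS_FIXEDFILEINFO that GetFileVersionInfoW copies into the
 * caller's buffer, from raw bytes and without Windows headers. Added example,
 * not code from the report or the sample. Struct layout and constants are
 * the documented Windows ones; the sample block below is constructed here,
 * not dumped from pdfmagic.exe. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define VS_FFI_SIGNATURE 0xFEEF04BDu
#define VS_FF_DEBUG      0x00000001u
#define VS_FF_PRERELEASE 0x00000002u
#define VOS_NT_WINDOWS32 0x00040004u
#define VFT_APP          0x00000001u

typedef struct {
    uint32_t file_ver[4];    /* major, minor, build, revision */
    uint32_t product_ver[4];
    uint32_t file_flags;     /* dwFileFlags & dwFileFlagsMask */
    uint32_t file_os;
    uint32_t file_type;
} fixed_file_info;

static uint32_t rd32(const uint8_t *p) {          /* little-endian DWORD */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }

/* VS_FIXEDFILEINFO is 13 DWORDs (52 bytes); find it by signature at a
 * DWORD-aligned offset instead of trusting the root block's wValueLength.
 * Returns 1 on success, 0 if no signature is present. */
int parse_fixed_file_info(const uint8_t *buf, size_t len, fixed_file_info *out) {
    for (size_t off = 0; off + 52 <= len; off += 4) {
        const uint8_t *f = buf + off;
        if (rd32(f) != VS_FFI_SIGNATURE) continue;
        uint32_t ms = rd32(f + 8), ls = rd32(f + 12);          /* dwFileVersionMS/LS */
        out->file_ver[0] = ms >> 16; out->file_ver[1] = ms & 0xFFFF;
        out->file_ver[2] = ls >> 16; out->file_ver[3] = ls & 0xFFFF;
        ms = rd32(f + 16); ls = rd32(f + 20);                   /* dwProductVersionMS/LS */
        out->product_ver[0] = ms >> 16; out->product_ver[1] = ms & 0xFFFF;
        out->product_ver[2] = ls >> 16; out->product_ver[3] = ls & 0xFFFF;
        out->file_flags = rd32(f + 28) & rd32(f + 24);          /* dwFileFlags & dwFileFlagsMask */
        out->file_os    = rd32(f + 32);
        out->file_type  = rd32(f + 36);
        return 1;
    }
    return 0;
}

int format_version(const uint32_t v[4], char *dst, size_t cap) {
    return snprintf(dst, cap, "%u.%u.%u.%u", v[0], v[1], v[2], v[3]);
}

/* Constructed VS_VERSIONINFO root block: wLength, wValueLength, wType,
 * L"VS_VERSION_INFO", padding to a DWORD boundary, then VS_FIXEDFILEINFO at
 * offset 40. Returns the 92 bytes written, 0 if the buffer is too small. */
size_t build_sample_block(uint8_t *buf, size_t cap) {
    static const char key[] = "VS_VERSION_INFO";   /* 15 chars + NUL = 16 WCHARs */
    if (cap < 92) return 0;
    memset(buf, 0, 92);
    wr16(buf + 0, 92);                               /* wLength */
    wr16(buf + 2, 52);                               /* wValueLength = sizeof(VS_FIXEDFILEINFO) */
    wr16(buf + 4, 0);                                /* wType = binary */
    for (size_t i = 0; i < sizeof key; i++) wr16(buf + 6 + 2 * i, (uint16_t)key[i]);
    uint8_t *f = buf + 40;
    wr32(f + 0,  VS_FFI_SIGNATURE);
    wr32(f + 4,  0x00010000u);                       /* dwStrucVersion 1.0 */
    wr32(f + 8,  (10u << 16) | 0u);                  /* file version 10.0 ... */
    wr32(f + 12, (19041u << 16) | 1u);               /* ... 19041.1 */
    wr32(f + 16, (10u << 16) | 0u);                  /* product version, same */
    wr32(f + 20, (19041u << 16) | 1u);
    wr32(f + 24, 0x3Fu);                             /* dwFileFlagsMask */
    wr32(f + 28, VS_FF_PRERELEASE);                  /* dwFileFlags */
    wr32(f + 32, VOS_NT_WINDOWS32);
    wr32(f + 36, VFT_APP);
    return 92;
}

fixed_file_info g_info;
char g_version[32];

/* Build the sample, parse it, format the file version. Returns 1 on success. */
int run_demo(void) {
    uint8_t buf[128];
    size_t n = build_sample_block(buf, sizeof buf);
    if (n == 0 || !parse_fixed_file_info(buf, n, &g_info)) return 0;
    format_version(g_info.file_ver, g_version, sizeof g_version);
    return 1;
}

int main(void) {
    if (!run_demo()) { puts("no VS_FIXEDFILEINFO found"); return 1; }
    printf("FileVersion %s  flags 0x%02X  os 0x%08X  type %u\n",
           g_version, g_info.file_flags, g_info.file_os, g_info.file_type);
    return 0;
}
```

                The signature scan matters in practice: a resource built by hand or by a packer can carry a wrong wValueLength, and masking dwFileFlags with dwFileFlagsMask is what the Windows API itself does, so an unmasked VS_FF_DEBUG bit is not meaningful on its own.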

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 786 5b8ae98-5b8aecc call 5b8af70 787 5b8aed2-5b8aeda 786->787 789 5b8aedc-5b8aede 787->789 790 5b8aee0 787->790 791 5b8aee5-5b8aef0 789->791 790->791 792 5b8af51-5b8af5e 791->792 793 5b8aef2-5b8af23 RtlEncodePointer 791->793 795 5b8af2c-5b8af4c 793->795 796 5b8af25-5b8af2b 793->796 795->792 796->795
                APIs
                • RtlEncodePointer.NTDLL(00000000), ref: 05B8AF12
                Memory Dump Source
                • Source File: 00000001.00000002.104945530752.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_5b80000_pdfmagic.jbxd
                Similarity
                • API ID: EncodePointer
                • String ID:
                • API String ID: 2118026453-0
                • Opcode ID: 089c734244cf99988b130b65e4c432ec1ac5e5ca565d1ac38814e3289cbbc48e
                • Instruction ID: 558123ab6bbcc366b0f5612b5263375e7ce3745b39a59a9962b5b52bedb297fb
                • Opcode Fuzzy Hash: 089c734244cf99988b130b65e4c432ec1ac5e5ca565d1ac38814e3289cbbc48e
                • Instruction Fuzzy Hash: B21181B19003098FDB60EFA9D5087AEBFF9FB44315F20846AE409A3680D739A544CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.104949857194.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_5fd0000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID: piNt
                • API String ID: 0-888100993
                • Opcode ID: 93e28530f76224bf0a20f96bf9ee952d04f608e5a5d14418c9b86c8505603759
                • Instruction ID: 020e7601b492bf047017144ab244087f19315631f44330f39177432f9a6a94ae
                • Opcode Fuzzy Hash: 93e28530f76224bf0a20f96bf9ee952d04f608e5a5d14418c9b86c8505603759
                • Instruction Fuzzy Hash: 61314D35B00100AFDB19DB79C95496EB7EBEF8D210B15806DEA06DB3A1DA35EC01CBA4
                Uniqueness

                Uniqueness Score: -1.00%

                Strings
                Memory Dump Source
                • Source File: 00000001.00000002.104949857194.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_5fd0000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID: piNt
                • API String ID: 0-888100993
                • Opcode ID: 48ca524c64a0d1c5379f26890ba98efa1f2c63b6e2a6a085c679d32a3c869004
                • Instruction ID: 4cd07b8c1dc9c14c1e2e4b340da417c7f1e4b3de042a2d0056902bae5eaced54
                • Opcode Fuzzy Hash: 48ca524c64a0d1c5379f26890ba98efa1f2c63b6e2a6a085c679d32a3c869004
                • Instruction Fuzzy Hash: 73314D75B001009FDB19DF79C95496EBBEAEF8D310B158069EA06DB3A1DA35EC018BA4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104949857194.0000000005FD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 05FD0000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_5fd0000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0328b13767b3e8513a27f5c916d408e4c88d3e73eb64963181b130346ec913e1
                • Instruction ID: bcca2a73719235708b39faf2251c2b94fe0fb0ad40e9432b6727d062464147eb
                • Opcode Fuzzy Hash: 0328b13767b3e8513a27f5c916d408e4c88d3e73eb64963181b130346ec913e1
                • Instruction Fuzzy Hash: F2D12A35A0511ADFDB14CF54C988AAEF7BBFF49301F298155E8116B260EB39AD41CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b2f86198dca58660841447ff78555aabda869ff32a0128780dae05520f84a51c
                • Instruction ID: 8216712192490b9516b38d51a9bf5810d91718af4ef51cfbd2afc523db5e0763
                • Opcode Fuzzy Hash: b2f86198dca58660841447ff78555aabda869ff32a0128780dae05520f84a51c
                • Instruction Fuzzy Hash: D0515631B042148FDB49DF79DC44A6EBBB6FFC520071884AAE405CB2A6DA30DC05CBA5
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0239f2a95e70f37dfd635ef41e09ea36117b83899cba687edfcf4e9db7654e54
                • Instruction ID: 6565969918a41a2602c1b8cdfed86c70bc2e72e2ae193e96bbb2dd8befbd814f
                • Opcode Fuzzy Hash: 0239f2a95e70f37dfd635ef41e09ea36117b83899cba687edfcf4e9db7654e54
                • Instruction Fuzzy Hash: 1B51AE71B047469FDB24CFAAD884A6BB7F6FF88214B14882AE546C7744D770F805CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 305f415b378f4a04ebad97ad88f8aed43cba82927d9602337fe936cb99588912
                • Instruction ID: 403829326c54a527e20d36a7256f42791dad3eb9645c85248772299f2df84a4d
                • Opcode Fuzzy Hash: 305f415b378f4a04ebad97ad88f8aed43cba82927d9602337fe936cb99588912
                • Instruction Fuzzy Hash: 9E613F71A00106DFDF44DF54D884AAAB7BAFF88300F54866AE905DB255D735E885CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ec9f783add712a7e2ac194e8163bce231a69b9ee5d2cdc9f2d92bb0c890f362e
                • Instruction ID: d7c524c2e2c310245e45282fafd4cb6db359f0f61b34a586bd6ba050deff9439
                • Opcode Fuzzy Hash: ec9f783add712a7e2ac194e8163bce231a69b9ee5d2cdc9f2d92bb0c890f362e
                • Instruction Fuzzy Hash: 1A51F974B002159FDB54DB68D4529BEBBB6FFC9310B14842AD9469B380DB34AC46CBE0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 8fdfcbe83a07e7b25dcdc3d9646f1f01f259d71a9e16c7c1a2f219e8018d208b
                • Instruction ID: 61bf67a38ca1af367398e6105559d224e82b84bd346172dda1dd3875e70c703a
                • Opcode Fuzzy Hash: 8fdfcbe83a07e7b25dcdc3d9646f1f01f259d71a9e16c7c1a2f219e8018d208b
                • Instruction Fuzzy Hash: D2510430B002058FDB54DF68D899AAEBBB2FF85310F14856AE405EB3A1DB749D45CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c6d343b0dc822d4513591b6c3e6672294d13535750fd7d99ddf00d202dddc535
                • Instruction ID: 1138fb39a63857696de326c8e2a21a2be37b8c8f28b812a9518773d963a7d5a1
                • Opcode Fuzzy Hash: c6d343b0dc822d4513591b6c3e6672294d13535750fd7d99ddf00d202dddc535
                • Instruction Fuzzy Hash: D8416E347502548FDB44DF69E858A6E7BF6FF89710B100469E60ACB361DB75DC05CB90
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ecb4ce125c1aa2cc6dea4371a77eca2ad44e6dce33eba85d77e97e4c7bbcd5c8
                • Instruction ID: f9c9a644680f4fbee1b9909c3be3ddc832404910bc257f72790d1984c4b8f013
                • Opcode Fuzzy Hash: ecb4ce125c1aa2cc6dea4371a77eca2ad44e6dce33eba85d77e97e4c7bbcd5c8
                • Instruction Fuzzy Hash: 33319C30B002158FDF54DFA8D85A9AEB7B5FF89310B1044AAE6169B361DB71AD01CBA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 29f40999f1613bb1921b474bfceecb95775720c15dfdf89647a251266f89f3b7
                • Instruction ID: fc58b2de3387fd502929ca35d622c8e83f2dc114c11c81f9de057bbb4786f958
                • Opcode Fuzzy Hash: 29f40999f1613bb1921b474bfceecb95775720c15dfdf89647a251266f89f3b7
                • Instruction Fuzzy Hash: 363190306447528FEF758B28D48577AB7F1FB45305F148C1AD887C6B92C7B8E8828BA4
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 9152c18a9b42602d1b0ece21826b59272aebf4aef847e685d431ce7173450eb0
                • Instruction ID: 626c8a5f5025dff83d0efed4064a1bde93d3a8101aa9c0636bf97936cd63347a
                • Opcode Fuzzy Hash: 9152c18a9b42602d1b0ece21826b59272aebf4aef847e685d431ce7173450eb0
                • Instruction Fuzzy Hash: 47414D30A00206CFDB94DF68D899AAEB7B2FF85310F148959E4069B3A5DB74DD45CFA0
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104951301957.0000000006590000.00000040.00000800.00020000.00000000.sdmp, Offset: 06590000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_6590000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 7e90a83ee6a7c66b3a023a0d96b3e588fb0947f692ef970c3bd99501e35987f6
                • Instruction ID: 8765fffd7c633bb7441b36c8bd4d18579b14ab45d98afdc06ea2a44dbf2820c2
                • Opcode Fuzzy Hash: 7e90a83ee6a7c66b3a023a0d96b3e588fb0947f692ef970c3bd99501e35987f6
                • Instruction Fuzzy Hash: 07319E31A00105DFDF44CF94E880BA9B7BAFF88310F148566E905DB241DB31EC85CBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104926309363.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_17ad000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: ea06f225c3b0f4426386d67eddd8686adbd6054af185f0a279a77d3dc49c6d87
                • Instruction ID: 9e3cc262935efd2a579baaf7a411092ab4a00efb8acd8b8cfbba18741c40221f
                • Opcode Fuzzy Hash: ea06f225c3b0f4426386d67eddd8686adbd6054af185f0a279a77d3dc49c6d87
                • Instruction Fuzzy Hash: D031E172108640EFDF068F54D9C0F16BF76FB88314F648699EE090A2A6C736D862CB61
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104926309363.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_17ad000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 693da27a292de99d6e776a51f795ee1acf2a6b2a065097979a18aa4deb7382ce
                • Instruction ID: a15ab39ceefcbd012cdbcd62b7faad72df89da18023317769282807688169137
                • Opcode Fuzzy Hash: 693da27a292de99d6e776a51f795ee1acf2a6b2a065097979a18aa4deb7382ce
                • Instruction Fuzzy Hash: A031D272104240EFDF169F58D9C0F16BF76FB88310F648699ED090A25AC736D491DBA1
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000001.00000002.104926309363.00000000017AD000.00000040.00000800.00020000.00000000.sdmp, Offset: 017AD000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_17ad000_pdfmagic.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: b77e611c14e787b3002d91b42916613095123482c2dfa4bef263e63f290bd0e1
                • Instruction ID: 863c5615504580413f8f219c7b3899e7fe926e1860112c65d9d26e2ab67918a9
                Strings